[Freeipa-users] Re: what is the difference between idm:client and idm:DL1

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick wrote: > so it’s valid to use DL1 on a system that isn’t a KDC but needs some package > such as the proxy that isn’t in client? Yep. rob > >> On Nov 11, 2019, at 2:28 PM, Rob Crittenden wrote: >> >> Charles Hedrick via FreeIPA-users wrote: >>> In Centos 8, there are two stream

[Freeipa-users] Re: what is the difference between idm:client and idm:DL1

2019-11-11 Thread Charles Hedrick via FreeIPA-users
so it’s valid to use DL1 on a system that isn’t a KDC but needs some package such as the proxy that isn’t in client? > On Nov 11, 2019, at 2:28 PM, Rob Crittenden wrote: > > Charles Hedrick via FreeIPA-users wrote: >> In Centos 8, there are two streams for idm software. You need DL1 for a >> s

[Freeipa-users] Re: what is the difference between idm:client and idm:DL1

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > In Centos 8, there are two streams for idm software. You need DL1 for a > server. But it seems to have client software as well. Is that the same in > both streams? We have a web server with the KDC proxy. It appears that we > would need DL1 to get that.

[Freeipa-users] what is the difference between idm:client and idm:DL1

2019-11-11 Thread Charles Hedrick via FreeIPA-users
In Centos 8, there are two streams for idm software. You need DL1 for a server. But it seems to have client software as well. Is that the same in both streams? We have a web server with the KDC proxy. It appears that we would need DL1 to get that. Is that reasonable for a system that isn’t a KDC

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles wrote: > On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden > wrote: > > Jones, Bob (rwj5d) via FreeIPA-users wrote: > > If you’re making these sorts of changes, might I suggest a flag to > generate Nagios safe output that is just a summary of how

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
Wouldn’t that also expose the main web UI, and IPA commands? Seems like a much larger attack surface. On Nov 11, 2019, at 1:27 PM, Alex Corcoles mailto:a...@corcoles.net>> wrote: On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick mailto:hedr...@rutgers.edu>> wrote: I use Kerberos at home. So do a

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick wrote: > I use Kerberos at home. So do a couple of faculty. I have a Kerberos > https: proxy set up on one of our public web servers. This is less than > ideal, as it requires installing separate Kerberos software for both Mac > and Windows. The Ker

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
I use Kerberos at home. So do a couple of faculty. I have a Kerberos https: proxy set up on one of our public web servers. This is less than ideal, as it requires installing separate Kerberos software for both Mac and Windows. The Kerberos protocol is standardized across OSs, but not the proxy s

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Jones, Bob (rwj5d) via FreeIPA-users
Yes, the checkipaconsistency normal output is something like this: ++--+--+--+---+ | FreeIPA servers: | host01 | host02 | host03 | STATE | ++--+--+--+---+ | Active Users | 8| 8

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden wrote: > Jones, Bob (rwj5d) via FreeIPA-users wrote: > > If you’re making these sorts of changes, might I suggest a flag to > generate Nagios safe output that is just a summary of how many > warnings/errors were found like the way checkipaconsistency

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2019-11-11 Thread Alex Scheel via FreeIPA-users
- Original Message - > From: "Wulf C. Krueger via FreeIPA-users" > > To: freeipa-users@lists.fedorahosted.org > Cc: "Wulf C. Krueger" > Sent: Sunday, November 10, 2019 10:02:08 AM > Subject: [Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) > fails to start > > On 2019

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Jones, Bob (rwj5d) via FreeIPA-users wrote: > On Nov 10, 2019, at 7:30 PM, Rob Crittenden via FreeIPA-users > wrote: >> >> You can probably get away with running it once a day. With the exception >> of the replication checks these aren't all that dynamic. You would catch >> things like permission

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Jones, Bob (rwj5d) via FreeIPA-users
On Nov 10, 2019, at 7:30 PM, Rob Crittenden via FreeIPA-users wrote: > > You can probably get away with running it once a day. With the exception > of the replication checks these aren't all that dynamic. You would catch > things like permission and FS space issues earlier I suppose. > > I'll m

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden wrote: > I'm open to suggestions on this. I don't mean for it to scare anyone but > the consequences can be head scratching. I have a blog entry on it that > gets quite a few views. > Well, I think the ideal would be to prevent this from happening i